E3’s organizer apologizes after revealing information for thousands of journalists

The Entertainment Software Association issued an apology of sorts after making available the contact information for more than 2,000 journalists and analysts who attended this year’s E3.

“ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public,” the organization said via statement. “Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this this occurrence and have put measures in place to ensure it will not occur again.”

It’s not clear whether the organization attempted to reach out to those impacted by the breach.

In a kind of bungle that utterly boggles the mind in 2019, the ESA had made available on its site a full spreadsheet of contact information for thousands of attendees, including email addresses, phone numbers and physical addresses. While many or most of the addresses appear to be businesses, journalists often work remotely, and the availability of a home address online can present a real safety concern.

After all, many gaming journalists are routinely targets of harassments and threats of physical violence for the simple act of writing about video games on the internet. That’s the reality of the world we currently live in. And while the information leaked could have been worse, there’s a real potential human consequence here.

That, in turn, presents a pretty compelling case that the ESA is going to have a pretty big headache on its hands under GDPR. Per the rules,

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

There is, indeed, a pretty strong argument to made that said breach could “result in a risk to the rights and freedoms of natural persons.” Failure to notify individuals in the allotted time period could, in turn, result in some hefty fines.

It’s hard to say how long the ESA knew about the information, though YouTuber Sophia Narwitz, who first brought this information to light publicly, may have also been the first to alert the organization. The ESA appears to have been reasonably responsive in pulling the spreadsheet down, but the internet is always faster, and that information is still floating around online and fairy easily found.

VentureBeat notes rightfully that spreadsheets like these are incredibly valuable to convention organizations, representing contact information some of the top journalists in any given industry. Many will no doubt think twice before sharing this kind of information again, of course.

Notably (and, yes, ironically), the Black Hat security conference experienced a similar breach this time last year. It chalked the issue up to a “legacy system.”

Natasha Lomas contributed to this report

Update: An email has since been sent to those impacted, noting,

We provide ESA members and exhibitors a media list on a password-protected exhibitor site so they can invite you to E3 press events, connect with you for interviews, and let you know what they are showcasing. For more than 20 years there has never been an issue. When we found out, we took down the E3 exhibitor portal and ensured the media list was no longer available on the E3 website.

Again, we apologize for the inconvenience and have already taken steps to ensure this will not happen again.